Privacy in Action

How will companies actually respond if the Specter-Leahy bill, or something similar, is enacted into law? Two pieces of earlier legislation that mandated data protection systems for specific industries hold a clue. Both the Health Insurance Portability and Accountability Act of 1996 (better known as HIPAA), and the Gramm-Leach-Bliley Act of 1999, require healthcare providers and financial services firms, respectively, to implement privacy controls covering all their sensitive customer information over a period of time.

Before HIPAA, Oklahoma City-based Integris Health Inc., which manages 12 hospitals across the state, had no data security staff, and it relegated privacy protection to the information technology department.

No surprise, then, that anyone who worked at Integrisfrom physicians to orderlies, theoreticallyhad virtually free access to databases through poorly protected network accounts. But in 2001, Integris created a security group that has since designed a system that protects sensitive data, audits and approves access to systems containing patient records, uses biometrics to authenticate valid users (such as an ICU nurse taking care of a cardiac patient), guards against network intruders, and manages the downloading of information to mobile devices.

This has been an ambitious project, costing upward of $1 million. It would never have been undertaken had HIPAA not forced Integris to focus on data protection, says Randy Maib, the hospital chain's senior IT consultant. But now that the company has invested in privacy, Maib says, there is a clear change of heart. What was once less than an afterthought is now considered critical to Integris's performance.

"There was a study done by a university that said a company could see over a 5 percent decrease in profits if confidential information is accidentally disclosed," says Maib. "Healthcare is such a competitive environment that the potential loss is probably more than that. We may not have understood it well before, but now we know that we can't afford to ignore the level of privacy people expect of us."

Consumers can only hope that other companies get the same religioneither before, or after, the federal government forces them to.